Friday, April 1, 2011

one time password

Because I often have to connect back to my home server from outside computers, even from internet cafés, it is very easy for a keylogger to capture the username and password. Switching to public-key authentication would mean carrying a USB stick or similar around, which is a hassle. So the most convenient option is probably OTP (one-time password): after the initial setup, print part of the password list on paper and carry it with you. Normally you still log in with account and password; on an untrusted computer you just press Enter to skip the account/password login, and the OTP login prompt appears next.

The steps on Debian are as follows:
    # apt-get install opie-server opie-client
    # vi /etc/pam.d/sshd
    change
    @include common-auth
    to
    auth    sufficient      pam_unix.so nullok_secure
    auth    sufficient      pam_opie.so
    auth    requisite       pam_deny.so
    auth    required        pam_permit.so
    auth    optional        pam_ecryptfs.so unwrap


    You also have to change the ssh server config, otherwise the OTP password prompt will not appear
    # vi /etc/ssh/sshd_config
    ChallengeResponseAuthentication yes
    and restart sshd
    # /etc/init.d/ssh restart



    The first time, initialise the password with opiepasswd
    The OPIE services must be initialised with the command: (run by the user who wants to log in)
    in opie server:
    $ opiepasswd -c
    to allow users to log-in with OTPs
    Updating behappy:
    Only use this method from the console; NEVER from remote. If you are using
    telnet, xterm, or a dial-in, type ^C now or exit with no password.
    Then run opiepasswd without the -c parameter.
    Using MD5 to compute responses.
    Enter old secret pass phrase:
    Enter new secret pass phrase:
    Again new secret pass phrase:

    ID behappy OTP key is 499 po9644
    BABY JACK FIGS KYLE SOCK RAKE

    List 20 passwords to carry with you:
    get the password list:
    $ opiekey -n 20 499 po9644
    Using the MD5 algorithm to compute response.
    Reminder: Don't use opiekey from telnet or dial-in sessions.
    Sorry, but you don't seem to be on the console or a secure terminal.
    Warning: Continuing could disclose your secret pass phrase to an attacker!
    Enter secret pass phrase:
    480: SITS DUE ALVA BEEN WOO OBOE
    481: WADE GLUM NOVA THAN OVEN HAAS
    482: REAL LET CON VETO BLOW MOSS
    483: IRIS LUGE FAT RECK CORN ARGO
    484: HUGH LUG EDGE JEFF FOLK HATH
    485: ODE TEND MIKE FIR FATE DAYS
    486: WAND PUB OHIO JOY EMIL COCA
    487: IRK SOB CUBA KALE OAK COAT
    488: SOFA MIRE LEER BOP OTT JAM
    489: LOAD HOW SWAT OWL MILT AIDA
    490: OUT LEAR CRAG LOON LUND MONK
    491: NEWT BOLT SANK HURD BUG DEAN
    492: SET ANTI DEAL CAST JAIL ROBE
    493: REAL BEER ROVE CUFF RET MUG
    494: NON RAID ETC ROB HAVE YARN
    495: BOON CAW RUE LAM LATE HOCK
    496: FIRM HARK EM ALTO NOW FRY
    497: GOOF WEAL SHAM OAR LACY RILL
    498: EST PAY WAG GOLF PA ART
    499: BABY JACK FIGS KYLE SOCK RAKE

    When logging in over ssh from outside, it starts out just like usual and asks for the normal system password. Press Enter to skip it, and the OTP prompt appears next. It shows number 497, so look up entry 497 in the printed list and type the whole line to log in.
    $ ssh localhost
    Password: [ just press enter to skip normal login]
    otp-md5 497 po9644 ext, Response: [ key in the number 497 above ]

    You have mail.
    Last login: Fri Apr  1 00:56:48 2011 from pony

    yes, it works.
    Not hard at all.
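To show what opiepasswd/opiekey and the sshd side are actually doing, here is an added example (not code from the post or from the OPIE project) of the RFC 2289 MD5 hash chain behind the "otp-md5 497 po9644" challenge and the server-side check: the server stores only the response for count N, asks for N-1, and accepts a response only if one more hash step turns it into the stored value, so a captured response is useless once used. The pass phrase and the 8-byte hex output form are constructed/assumed; the six-word form needs the RFC 2289 dictionary and is omitted.

```python
import hashlib

def fold_md5(data: bytes) -> bytes:
    """One RFC 2289 MD5 step: hash, then XOR the two 64-bit halves into 8 bytes."""
    d = hashlib.md5(data).digest()
    return bytes(a ^ b for a, b in zip(d[:8], d[8:]))

def otp_response(seed: str, passphrase: str, count: int) -> bytes:
    """The one-time password number `count` for this seed and pass phrase.
    Same chain opiekey walks: fold(seed+phrase), then fold `count` more times.
    The seed is lowercased as RFC 2289 requires."""
    x = fold_md5((seed.lower() + passphrase).encode())
    for _ in range(count):
        x = fold_md5(x)
    return x

def to_hex(otp: bytes) -> str:
    """Hex response form ('9E87 6134 ...' style) that OPIE accepts instead of six words."""
    return " ".join(otp[i:i + 2].hex().upper() for i in range(0, 8, 2))

class OpieServer:
    """Minimal model of the /etc/opiekeys record: seed, count, last accepted response."""
    def __init__(self, seed: str, count: int, stored: bytes):
        self.seed, self.count, self.stored = seed, count, stored

    def challenge(self) -> str:
        # The prompt the post shows: the server asks for the *next lower* count.
        return f"otp-md5 {self.count - 1} {self.seed} ext"

    def verify(self, response: bytes) -> bool:
        # Chain exhausted: user must re-run opiepasswd before any more logins.
        if self.count <= 1:
            return False
        # Hashing the offered response once must reproduce what we stored.
        if fold_md5(response) != self.stored:
            return False
        # Move the record down one step; the old response can never be reused.
        self.count -= 1
        self.stored = response
        return True

def enrol(seed: str, passphrase: str, count: int = 499) -> OpieServer:
    """What `opiepasswd -c` records: the response for the initial count (default 499)."""
    return OpieServer(seed, count, otp_response(seed, passphrase, count))

if __name__ == "__main__":
    srv = enrol("po9644", "constructed pass phrase")      # constructed sample phrase
    print(srv.challenge())                                 # otp-md5 498 po9644 ext
    print(to_hex(otp_response("po9644", "constructed pass phrase", 498)))
```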